The remarkable success that Chinese state-sponsored groups have had in infiltrating U.S. government, military and corporate networks in recent years should not be mistaken as a sign that China is gaining technical superiority over the U.S. in cyberspace, security experts said.
Chinese state-sponsored hacking groups are no more -- or less -- sophisticated than criminal and politically motivated cyber groups anywhere else. What has made them different is the way they target victims, their persistence and their ability to stay hidden in a breached network for extended periods of time.
The Pentagon on Monday released a report accusing China of engaging in cyberespionage as a way of finding and stealing information that could be used to modernize its defense and high-technology industries.
The unusually candid report warned of Chinese policymakers and military planners using stolen information to build a picture of U.S. defense networks, logistics and related military capabilities that could be exploited during a crisis. The espionage activities are helping China build a sophisticated electronic warfare capability designed to neutralize U.S. technological superiority in traditional warfare and other areas, the report cautioned.
The report marked the first time the U.S. government has officially said what many people in the private sector, and even within the government, have said for years about the Chinese government's support for cyberespionage.
As ominous as the tone of the report is, the reality is more mundane, according to several security experts.
"The Chinese don't have super-duper techniques," said John Pescatore, director of emerging security trends at the SANS Institute in Bethesda, Md. "They are not smarter in software than us. If they were, we would see them starting up new companies" instead of engaging in espionage, Pescatore said.
While state-sponsored hackers in China likely have an arsenal of attack techniques and zero-day assaults that they can unleash, in most cases, they have only had to use common attack tools and exploit known vulnerabilities to gain a foothold on a target network.
"It's not that the Chinese have some unbeatable way of breaking into a network. What is innovative is their targeting," Pescatore said. U.S. contractors and defense companies that are often the target of Chinese espionage efforts should not be too concerned about where the attacks are coming from, he said. Instead, they should simply focus on shutting down the basic vulnerabilities and configuration errors that enable attackers to breach their networks.
"What we have definitely seen from China over the years is that they use the least amount of force necessary to accomplish their goals," said Dan McWhorter, managing director of threat intelligence at security firm Mandiant. "If you are not very savvy at keeping people out, they will use the lowest level of tools and their easiest means to get in. If you are a sophisticated company, they will up their game."
Mandiant in February released a detailed report identifying a unit of the People's Liberation Army (PLA) of China as the source of a systematic cyberespionage campaign against the U.S. and several other countries since at least 2006. According to the report, over the past few years, the attackers breached the defenses of more than 140 large companies in 20 major industries that China considers to be of strategic value.
The report has been widely lauded for its depth of information and is believed to have provided the impetus for the U.S. government's decision to come out this week and officially accuse China of cyberespionage.
In addition to studying the PLA unit, Mandiant tracked about 25 other apparently state-sponsored hacking groups within China and found them to have varying degrees of technical skill and sophistication.
"There's a broad array of capabilities inside China," ranging from the very sophisticated to the average, McWhorter said. He added that he has little doubt that China has the skills to develop a Stuxnet-like piece of malware, if it wanted to. Stuxnet is the notorious malware that was used to sabotage computers running centrifuges at Iran's uranium enrichment facility in Natanz. The malware is widely believed to have been jointly developed and deployed by U.S. and Israeli intelligence operatives.
For the most part, the approach Chinese hackers have used is to quietly penetrate U.S. networks using spearphishing and other low-tech methods, and then remain hidden and extract data over extended periods of time.
Many hackers operating out of China have become adept at stealing legitimate corporate network credentials and using those to log in and move around a target network just like an employee with legitimate access would, McWhorter said.
Once the attackers have access to such credentials, they are quick to erase all signs of a break-in, so it becomes difficult for a company to even know it has been compromised.
"If you can obtain legitimate VPN credentials and start logging in as a real person, the situation becomes very difficult" for the targets, McWhorter said. Hackers are often able to extract huge quantities of data through the VPN tunnel without attracting any suspicion, he said.
Even when companies discover a breach, they have to exercise great care not to tip off the hackers and drive them even deeper into the network, he said.
In contrast to the work of gangs of cybercriminals operating out of Europe, most of the malicious hacking activity from China appears to be focused on industrial espionage and theft of trade secrets. When Chinese hackers have had opportunities to grab individuals' financial and personally identifiable information, they have generally opted to leave such data alone, he said.
"Almost everything we track out of China is state-sponsored," McWhorter said. "It's a whole different genre of crime compared to what tends to come out of places like East Europe. Persistence isn't a big deal to East European gangs. Their approach has been to smash the glass, grab the jewelry and run. They are not there to be stealthy. They are not there to remain hidden for months and years."
The best measurement of the capability of the adversary isn't always the sophistication of the malware used, said Rocky DeStefano, founder and CEO of security analytics firm Visible Risk. Often, the tactics employed by the adversary to maintain or advance control within the network in response to defender activities are important as well.
So too are the actual information, people or systems that are being targeted by the hackers. Were the hackers after "only the latest updates to your most advanced research?" he asked. "Or was it a general dump of information?"
Based on such measures, Chinese hacking groups would appear to rank behind the U.S., Israel and the U.K. in terms of raw capability, DeStefano said.
"At the end of the day, it's not about latent vulnerabilities or advanced attacks," said Anup Ghosh, founder and CEO of security firm Invincea. "It's about what works for the least amount of effort or expertise required."
For the past several years, there has been a systematic effort to compromise all major sectors of the U.S. economy. "To scale to this size and scope, there is necessarily heavy re-use of known vulnerabilities and their exploits. These often work because of the difficulty in patching software particularly in the enterprise space," Ghosh said.
Though the perpetrators of these exploits may be different, the methods used to compromise computer systems are shared among cybercriminals and nation states. The bottom line, said Ghosh, "is if you can be successful with conventional toolkit exploits, you use them instead of burning zero-days."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.